CVE-2020-2754: Medium severity ibm engineering requirements quality assistant vulnerability

Q: What is the severity of CVE-2020-2754?

CVE-2020-2754 is classified as a medium severity vulnerability.

Q: How do I fix CVE-2020-2754?

To fix CVE-2020-2754, update to the recommended versions of OpenJDK provided in the advisory.

Q: What is the impact of CVE-2020-2754?

CVE-2020-2754 can lead to unexpected exceptions during the processing of specially crafted regular expressions.

Q: Which versions are affected by CVE-2020-2754?

CVE-2020-2754 affects multiple versions of OpenJDK before the fixed releases.

Q: Is CVE-2020-2754 present in Oracle JDK?

Yes, CVE-2020-2754 is also applicable to certain versions of Oracle JDK and JRE.

Published Apr 12, 2020

Updated

A flaw was found in the Nashorn JavaScript engine in the Scripting component of OpenJDK. Processing of the forward references prior to checking for regular expression syntax errors could cause an unexpected exception to be raised when processing a specially crafted regular expression.

Other sources

An unspecified vulnerability in Java SE related to the Java SE Scripting component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.

— IBM

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Affected Software

139 affected componentsFixes available

redhat/java<1.8.0-openjdk-1:1.8.0.252.b09-2.el6_10

1.8.0-openjdk-1:1.8.0.252.b09-2.el6_10

redhat/java<1.8.0-ibm-1:1.8.0.6.10-1jpp.1.el6_10

1.8.0-ibm-1:1.8.0.6.10-1jpp.1.el6_10

redhat/java<11-openjdk-1:11.0.7.10-4.el7_8

11-openjdk-1:11.0.7.10-4.el7_8

redhat/java<1.8.0-openjdk-1:1.8.0.252.b09-2.el7_8

1.8.0-openjdk-1:1.8.0.252.b09-2.el7_8

redhat/java<1.8.0-ibm-1:1.8.0.6.10-1jpp.1.el7

1.8.0-ibm-1:1.8.0.6.10-1jpp.1.el7

redhat/java<11-openjdk-1:11.0.7.10-1.el8_1

11-openjdk-1:11.0.7.10-1.el8_1

redhat/java<1.8.0-openjdk-1:1.8.0.252.b09-2.el8_1

1.8.0-openjdk-1:1.8.0.252.b09-2.el8_1

redhat/java<1.8.0-ibm-1:1.8.0.6.10-1.el8_2

1.8.0-ibm-1:1.8.0.6.10-1.el8_2

redhat/java<1.8.0-openjdk-1:1.8.0.252.b09-2.el8_0

1.8.0-openjdk-1:1.8.0.252.b09-2.el8_0

redhat/java<11-openjdk-1:11.0.7.10-1.el8_0

11-openjdk-1:11.0.7.10-1.el8_0

debian/openjdk-11

11.0.24+8-2~deb11u111.0.25~5ea-1

debian/openjdk-8

8u422-b05-1

IBM Engineering Requirements Quality Assistant On-Premises<=All

Oracle JDK=1.8.0-update241

Oracle JDK=11.0.6

Oracle JDK=14.0.0

Oracle JRE=1.8.0-update241

Oracle JRE=11.0.6

Oracle JRE=14.0.0

Oracle OpenJDK>=11<=11.0.6

Oracle OpenJDK>=13<=13.0.2

Oracle OpenJDK=7

Oracle OpenJDK=7-update1

Oracle OpenJDK=7-update10

Oracle OpenJDK=7-update101

Oracle OpenJDK=7-update11

Oracle OpenJDK=7-update111

Oracle OpenJDK=7-update121

Oracle OpenJDK=7-update13

Oracle OpenJDK=7-update131

Oracle OpenJDK=7-update141

Oracle OpenJDK=7-update15

Oracle OpenJDK=7-update151

Oracle OpenJDK=7-update161

Oracle OpenJDK=7-update17

Oracle OpenJDK=7-update171

Oracle OpenJDK=7-update181

Oracle OpenJDK=7-update191

Oracle OpenJDK=7-update2

Oracle OpenJDK=7-update201

Oracle OpenJDK=7-update21

Oracle OpenJDK=7-update211

Oracle OpenJDK=7-update221

Oracle OpenJDK=7-update231

Oracle OpenJDK=7-update241

Oracle OpenJDK=7-update25

Oracle OpenJDK=7-update251

Oracle OpenJDK=7-update3

Oracle OpenJDK=7-update4

Oracle OpenJDK=7-update40

Oracle OpenJDK=7-update45

Oracle OpenJDK=7-update5

Oracle OpenJDK=7-update51

Oracle OpenJDK=7-update55

Oracle OpenJDK=7-update6

Oracle OpenJDK=7-update60

Oracle OpenJDK=7-update65

Oracle OpenJDK=7-update67

Oracle OpenJDK=7-update7

Oracle OpenJDK=7-update72

Oracle OpenJDK=7-update76

Oracle OpenJDK=7-update80

Oracle OpenJDK=7-update85

Oracle OpenJDK=7-update9

Oracle OpenJDK=7-update91

Oracle OpenJDK=7-update95

Oracle OpenJDK=7-update97

Oracle OpenJDK=7-update99

Oracle OpenJDK=8

Oracle OpenJDK=8-update101

Oracle OpenJDK=8-update102

Oracle OpenJDK=8-update11

Oracle OpenJDK=8-update111

Oracle OpenJDK=8-update112

Oracle OpenJDK=8-update121

Oracle OpenJDK=8-update131

Oracle OpenJDK=8-update141

Oracle OpenJDK=8-update151

Oracle OpenJDK=8-update152

Oracle OpenJDK=8-update161

Oracle OpenJDK=8-update162

Oracle OpenJDK=8-update171

Oracle OpenJDK=8-update172

Oracle OpenJDK=8-update181

Oracle OpenJDK=8-update191

Oracle OpenJDK=8-update192

Oracle OpenJDK=8-update20

Oracle OpenJDK=8-update201

Oracle OpenJDK=8-update202

Oracle OpenJDK=8-update211

Oracle OpenJDK=8-update212

Oracle OpenJDK=8-update221

Oracle OpenJDK=8-update231

Oracle OpenJDK=8-update241

Oracle OpenJDK=8-update25

Oracle OpenJDK=8-update31

Oracle OpenJDK=8-update40

Oracle OpenJDK=8-update45

Oracle OpenJDK=8-update5

Oracle OpenJDK=8-update51

Oracle OpenJDK=8-update60

Oracle OpenJDK=8-update65

Oracle OpenJDK=8-update66

Oracle OpenJDK=8-update71

Oracle OpenJDK=8-update72

Oracle OpenJDK=8-update73

Oracle OpenJDK=8-update74

Oracle OpenJDK=8-update77

Oracle OpenJDK=8-update91

Oracle OpenJDK=8-update92

Oracle OpenJDK=14

NetApp Active Iq Unified Manager Windows>=7.3

NetApp Active Iq Unified Manager Vsphere>=9.5

NetApp E-Series SANtricity OS Controller>=11.0.0<=11.60.1

NetApp Snapmanager Sap

NetApp Snapmanager Oracle

NetApp Storagegrid>=9.0.0<=9.0.4

NetApp Storagegrid

Fedoraproject Fedora=30

Fedoraproject Fedora=31

Fedoraproject Fedora=32

openSUSE Leap=15.1

openSUSE Leap=15.2

Canonical Ubuntu Linux=16.04

Canonical Ubuntu Linux=18.04

Canonical Ubuntu Linux=19.10

Debian Debian Linux=9.0

Debian Debian Linux=10.0

McAfee ePolicy Orchestrator=5.9.0

McAfee ePolicy Orchestrator=5.9.1

McAfee ePolicy Orchestrator=5.10.0

McAfee ePolicy Orchestrator=5.10.0-update_1

McAfee ePolicy Orchestrator=5.10.0-update_2

McAfee ePolicy Orchestrator=5.10.0-update_3

McAfee ePolicy Orchestrator=5.10.0-update_4

McAfee ePolicy Orchestrator=5.10.0-update_5

McAfee ePolicy Orchestrator=5.10.0-update_6

McAfee ePolicy Orchestrator=5.10.0-update_7

McAfee ePolicy Orchestrator=5.10.0-update_8

Event History

Apr 12, 2020

Data Sourced

via Red Hat·04:02 PM

DescriptionSeverityAffected Software

Apr 14, 2020

CVE Published

12:00 AM

Apr 15, 2020

CVE Published

via MITRE·01:29 PM

Data Sourced

via MITRE·01:29 PM

DescriptionSeverityWeakness

Jan 11, 2024

Data Sourced

via Launchpad·11:47 PM

Description

Sep 13, 2024

Data Sourced

via Ubuntu·07:30 AM

RemedyDescriptionSeverityAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Frequently Asked Questions

What is the severity of CVE-2020-2754?

CVE-2020-2754 is classified as a medium severity vulnerability.

How do I fix CVE-2020-2754?

To fix CVE-2020-2754, update to the recommended versions of OpenJDK provided in the advisory.

What is the impact of CVE-2020-2754?

CVE-2020-2754 can lead to unexpected exceptions during the processing of specially crafted regular expressions.

Which versions are affected by CVE-2020-2754?

CVE-2020-2754 affects multiple versions of OpenJDK before the fixed releases.

Is CVE-2020-2754 present in Oracle JDK?

Yes, CVE-2020-2754 is also applicable to certain versions of Oracle JDK and JRE.

CVE-2020-2754: Medium severity ibm engineering requirements quality assistant vulnerability

Other sources

Affected Software

Event History

Parent advisories

Don't miss critical vulnerabilities

Frequently Asked Questions

What is the severity of CVE-2020-2754?

How do I fix CVE-2020-2754?

What is the impact of CVE-2020-2754?

Which versions are affected by CVE-2020-2754?

Is CVE-2020-2754 present in Oracle JDK?

Company

Resources

Contact